Posted
by
kdawson
on Tuesday April 27, 2010 @01:56PM
from the catch-me-if-you-can dept.

An anonymous reader tips a writeup at KrebsOnSecurity.com detailing how purveyors of fake antivirus or 'scareware' programs have aggressively stepped up their game to evade detection. The posting is based on a report from Google's malware detection team (PDF). "Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent. ... In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010."

There are a number of well known AV software providers out there that have been around since the dawn of time (relatively speaking). F-Prot, Command, etc are all very good products and cost a few sandwiches a year.

I don't think I have to point this out, but for the sake of clarity: the point is not that the vast majority of people are straying away from known AV software providers to unknown software providers; it is that the vast majority don't know any better and believe what the computer tells them!

As someone who works PC repair I can tell you that many, if not most of these "fake AV" programs are getting installed via drive by. You see what most folks don't know is that ALL of the major OEMs cripple their PCs at the factory by installing them with automatic updates turned OFF. No why they do that stupid shit, who knows, but the result is a machine that is VERY badly out of date by the time the customer gets it. And of course since they don't know it has been crippled it will NEVER get updates until it gets hosed and comes to someone like me.

So they go to Walmart, Best Buy, whatever, and buy this machine that is as much as a year out of date with NO hope of getting updated, plug it in, and start using the "big blue E" which gets pwned within a couple of days to a month if they are lucky and only surf the major sites. The next thing they know when they turn on their PC there is this new "security tool" slapping them in the face and demanding money to go away. These things are seriously nasty and a royal PITA to kill, so they have to bring them to me.

But if you want someone to blame for the spread of this crap, it ain't the users this time. It would be like buying a new car and expecting to know that the shop rigged your brakes so a certain degree of incline will fail if they aren't re-calibrated. By the time the user gets a PC from the big chains often the 30 day crapware AV has run out, it is at least 6 months behind on security updates, and of course there is the fact that auto updates has been killed dead at the factory. You think if the government was worried about cyber-warfare and cyber-terrorism they would drop the hammer on those OEMs and make them have at least halfway sane security policies.

I deal with this stuff on a daily basis. I had a customer just the other day go home with a clean machine, with the latest version of Avira, AntiMalwarebytes, and SuperAntiSpyware installed and updated. All windows patches and updates installed. He was back two hours later. Surfing the web looking for UFC videos. Google served up a paid ad at the top of his search with his search terms. Of course he clicked it, and a with a bit of Adobe Flash magic, he had the Security Tools infection installed and hi

Its shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

A/. reader probably not, but the general public ?

If there was any profit in it, you could easily create a scare campaign about DHMO which could turn very messy. People can be insanely gullible when you present things the right way.

Its shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

Many mechanics rely on this not being true all the time. Cars and computers are magical things to many people, things that normal people aren't expected to be able to understand. These 'normal people' are simply used to trusting anyone, or anything now, that claims to be an expert on the subject.

Both mechanics and techs are wary that at some point they'll come across somebody who knows what they're doing but is just too lazy to do it themselves (which happens more with cars) who will out them (and potentially prosecuted them) if they try any charlatanry.

Yeah, I had my car in for an oil change at the dealership (I have free lifetime oil changes), 1 year ago they said I only had 1mm of brake pads left, then 3 months ago they said I had between 2-3mm of brake pads left. I think I have the *only* car that actually GROWS brake pads instead of wearing them down.

Needless to say, I don't let them do anything to my vehicle beyond the oil change.

My mechanic I already have a relationship with, he might be screwing me, but I already trust him to at least a certain extent; I let him fix my breaks after all.

I might trust my plumber who I hired to install a hot water heater when he tells me I need some doohickey (technical name) installed but not a guy who shows up at my door, and certainly not some popup from a web site.

People lose all common sense when they're dealing with something they think they're incapable of understanding.

It's not true, by and large, that people would be incapable of understanding if they sat down to take the time to figure it out, but in the cases of such an unequal informational playing field (you and your doctor, you and your mechanic, grandma and her computer tech) people are paying not just for service but for expertise, and that makes them vulnerable to this kind of exploitation.

Bad analogy for your angle, the water purification market uses that exact tactic and is alive and well.

That is exactly what the fake AV companies do (and some of the real ones)

But the real trick is most of the time people don't know they installed anything, their compare said it had problems click here to fix, and now they have more problems . . . but those can be fixed by buying full pro version.

Actually there are some places where water purification is necessary. Go to Moline, IL and see how you like the tap water. Is it safe? Of course, but it's nasty. Water purification companies never say that the alternative isn't 'scary unsafe' just that the purified water tastes better, and compared to some places, it might.

Actually there are some places where water purification is necessary. Go to Moline, IL and see how you like the tap water. Is it safe? Of course, but it's nasty. Water purification companies never say that the alternative isn't 'scary unsafe' just that the purified water tastes better, and compared to some places, it might.

My GF has family in some two-bit rural town in southern Missouri, and their water is TERRIBLE. I can say, even without tasting the "purified" water, that it HAS to be better than the loc

Yea, but I've heard of Britta.... just like I've heard of Macafee (especially now!). They may or may not do anything, but at least they are popular and if they were total garbage, or actually bad for you, I would probably have heard of it.

Its when Joe shows up at my house selling Joe's super duper water purifier (It gets the things that Britta misses!) that I start to get really skeptical.

Oh my God! Who do I make that check out to again? No, can't wait for it to clear, let me just give you my mattress and you can take how much it is, OK, I can't number very well.

OK, seriously...

Remember that many of the victims of scams like this don't know any better. These aren't random people showing up at their houses, they are ads showing up on websites. But many don't even know that.

They only know that their "computer person" has told them to make sure their AntiVirus is working correctly, and that the computer has just told them that their AntiVirus has stopped working correctly but the nice warning offered to fix it for them. Many of the newer ones look pretty legitimate, too, and have multiple URLs so when you Google them fake review sites come up and gush enthusiastically about how great the product is.

I have a co-worker who has been hit by this. I support 2 co-workers' home computers. They are otherwise intelligent people who use the preconfigured computers here at work every day. I give them lists of free antivirus packages they can load, and the one who had the problem came in and told me that her subscription to n0d ran out, but that the computer had warned her to replace it with "AntiVirus 2010" which had a free trial, but she noticed that once she installed it the computer slowed down.

She's not dumb, just on the low end of computer literacy. She knew that she needed to avoid popups and to run an Antivirus client, but this specific popup looked like a dialog box and she knew that her AV was running out, so she assumed it was like all the other warnings Windows Seven likes to send her about updates and such.

When a person shows up to the door, people are skeptical because they don't know that person and don't have a business relationship with them.

If you already buy an expensive product from a reputable company; you are going to be far less skeptical about things you are told about that product, by that company. If you buy a new car from Ford and the 'ABS' light comes on - provided you know nothing about cars, other than how to drive them, to believe that there is something wrong with your brakes; compared to

Bad analogy because if you've never heard of the microbe there's something fishy, why hasn't there been any official alert? But everybody knows there are viruses on the Internet and that you have to protect yourself against them, it's a confirmed fact you should have anti-virus. If everybody had to filter their water and you offered the ultramagic superwhoopie cleanex filter 3000 for the low, low price of 199$ many people would buy it.

Its shocking though, nobody would trust someone in the real world telling you that you need something they are providing without some kind of double check.

If someone showed up at your house and told you that your water could kill because of some microbe you have never heard of that they claim is getting into your pipes and the only way to make yourself safe is to install this helpful filter that they are selling would you believe them?

A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything, they just want you to click OK! It's easy to click OK, and, for the average [clueless] user, just clicking OK doesn't feel nearly as risky as letting a stranger into your home, or buying a mysterious product.

I think most people just do a naive, clueless sort of risk assessment. If the pop-up is telling the truth, they really need the software. If the pop-up is lying... well, they're not directly paying anything and have no idea what could go wrong, so they assume it's not a problem. Therefore, they decide to click OK to install the software. To them, it's more like some random person standing on the sidewalk telling them, "You should walk on the other side of the street; there's a dead skunk halfway up the block and you really don't want to get near it." Eventually people will learn... but it may take a few generations.

A big difference is that the fake antivirus pop-ups aren't usually trying to sell you anything

Not sure what fake AVs you've seen, but all the ones I've run across will say you're infected with X amount of viruses, but you must purchase the full version to have them removed. Two clients I know have pulled out their CC to make the purchase. Big mistake!!! Once I've informed them that they've been a victim of fraud, they agreed to contact their bank and have a new CC number issued. Obviously the original numbe

The "scan" window pops up and tells them that they've been infected BUT IT IS OKAY because all they have to do is click here and the nice software from the friendly company will remove the nasty viruses for them.

Yay!!!

This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.

This is just a side effect of the "real" anti-virus/security businesses having no interest in reducing/mitigating the "virus" threat. It makes too much money for them.

Said with all the arrogance and presumption of someone who knows exactly nothing of what they speak. Speaking as someone who spent over a decade as an anti-virus researcher and anti-virus engine developer, the truth is that it is infeasible for AV companies to keep up with the flood of (generated) malware that engulfs modern PCs... and, believe me, it's not for lack of trying. Have you ever seen how aggressively they complete over the VB100%* award?

Speaking as someone who spent over a decade as an anti-virus researcher and anti-virus engine developer, the truth is that it is infeasible for AV companies to keep up with the flood of (generated) malware that engulfs modern PCs... and, believe me, it's not for lack of trying.

Why spend 10 years trying to identify all the "bad" code when it should be far easier to identify the apps that you want to allow to run on your machine?

There are a number of well known AV software providers out there that have been around since the dawn of time (relatively speaking). F-Prot, Command, etc are all very good products and cost a few sandwiches a year.

For the same reason that "the Internet" is IE (or at least the IE icon) to some people.

I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicited the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.

I was once infected at my work computer, which runs Windows XP SP3, while visiting the website of a private porn torrent tracker, with lots of ads. I did not click any links or solicited the installation of the program, but somehow some sort of "Antispyware 2010" appeared there. It must have been a browser exploit or something like that. It wasn't too difficult to get rid of, I just needed Malwarebytes antimalware (the free version). Anyway, now I turn off Flash and JS before browsing porn at work.

They have a free scanner now. It's not the best AV, but it's good and no cost. I also recommend it because it is something users will trust. I mean after all, you pretty much have to trust your OS company, they could own your computer through any number of ways, they wouldn't need to use an AV program.

We've had a couple of these at work - not fake AVs, but some weird thing that seems to change the Active Desktop so that it looks like there's an antivirus window.

The funny thing is that they look a lot more like an anti-virus program than our actual antivirus. They have this really slick fake "scanning" window that looks like something Apple would come up with if they had to design an AV scanner, while our real AV software looks like a piece of junk some poor Russian hacker cobbled together. It's sad really; the fake AVs have Symantec beat in everything from total resource usage to looks.

They're like the face & fingerprint recognition software you see in movies & tv shows that display each and every face/fingerprint in its database to compare to the suspect image - looks great but completely impractical to waste CPU cycles by displaying the information it's searching through.

the fake AVs have Symantec beat in everything from total resource usage

I never thought I would defend Symantec after they got out of their compiler business and started pushing garbage, but it should be pointed out that the fake AVs aren't actually doing anything, and it is thus easy to win in total resource usage.

I never thought I would defend Symantec after they got out of their compiler business and started pushing garbage, but it should be pointed out that the fake AVs aren't actually doing anything, and it is thus easy to win in total resource usage.

And Symantec isn't doing anything practical either, or else this fake AV window wouldn't be showing up on my end user computers:)

We keep ignoring the lessons the past by using discretionary access controls instead of capability based security at our own peril. The users have no way of telling what the side effects of a program are going to be, nor do we have any way of limiting them. This is a spiral downward that will eventually force everyone to learn about capabilities and cabsec.

As a company gets bigger, it becomes harder and harder to ensure that people are educated and don't run crapware. The only real alternative is to lock things down and pull admin rights for most users. This way, should something stupid happen, it would require another security vulnerability to escalate to root/administrator, rather than just handing the keys to the city to any malware that infects a user. Plus, it is easier for A/V software to clean up an infected user profile than a rootkitted machine.

Pardon me, sir, but I would be remiss if I didn't inform you that you have clearly contracted a rare disease that will kill you painfully in short order UNLESS you pay me to inject this substance into you. You can trust me, I'm a doctor.

....

Why is it that virtually nobody would fall for that in meatspace, but innumerable people fall for it online? It's just like the 419 scams. What is it about THE INTARWEBS that makes people exponentially more gullible than they would be to a random person on the street?

Doctors, celebrities, what's the difference in the consumer's mind? Case 1: Dr. Dre. Case 2: "Of course Hugh Laurie is a doctor. He plays one on House M.D." Case 3: People with a doctorate in something other than medicine or osteopathy.

I've noticed something similar about words in print. If someone reads something in a book, it is taken as fact.. why else would it be in a book? When i was younger, Michael Chrichton books did that to me. Now i see it happening to other people.

This is what we get for portraying viruses in movies as LSD-trip-colored renditions of Leonardo da Vinci's Vitruvian Man spouting villainistic drivel. Too bad pop-up windows saying "Click here!" with flashing yellow warning icons just don't seem to connect with movie-goers the same way.

I have informed everyone I do family and friends tech support for... they must either switch to linux or a Mac with OSX. the new internet security 2010 is an evil bastard that even kills the safe mode so you have to use a Bart PE to run combifix first and then reinstall AV and run a clean.

Yeah, the AV2010 thing is extremely nasti. I've recovered 4 of these in one week-end. Fortunately, none of them required a complete reinstall of the OS. And then I had one hit by the MS update BSOD issue. I actually told them to leave their computer off, waited a couple of weeks for combofix to catch up and then fixed it.

I'm with you on being done with supporting home users of Windows; but minis start at $700, with 2GB of RAM and no monitor. Dell will furnish you with a (big, ugly) box with triple the RAM, a 1TB HDD(rather than 160GB), and a 20 inch flat panel for the same money...(getting a 2.8GHz Phenom X4 instead of a 2.3GHz Core2 duo is just icing).

The mini is cuter, certainly, and if you have to have OSX you have to have OSX; but the pricing is hardly equivalent for anybody willing to run linux or shove their comput

My wife's machine got hit last week.No idea where it came from.Been running for years with no problem.(NetGear router seems to keep the baddies out.)

All of a sudden there's a dozen dialogs flashing dire warnings about viruses and trojans and keyloggers and malware and insisting that we "register" our copy of XP security.

Pulled the network cable and started googling (from a linux box).The thing is pretty nasty.It scatters pieces of itself around the file system with random names.Then it hooks the.exe registry keys so that it gets control each time any program is run, and takes the opportunity to spawn a new copy of itself, with new dialog boxes and systray icons.

After you delete the program files, nothing runs at all, because the.exe keys are still trying to redirect through the files you just deleted.(Hint: right click -> run as).Then I fixed all the.exe (and related) keys by hand.There's quite a lot of them, because it is really important for each user on a windows box to have their own semantics for running a program.(Removal instructions on the web don't generally find them all.)

Finally (should have done this long ago) created an admin account and knocked all the user accounts down to user privilege level.

my mom's pc got one of these over the holidays while a teen cousin was surfing flash game sites. the pop-ups would not go away. at boot up pages wouldn't load because the warning box insisted on a click before progressing further. anti-malware had no effect, neither system restore nor anything else i could think of was successful.

even the computer shop was at a loss. after ten days the os required re-installation with a resultant loss of all data.

Same story here on my grandparents' PC. They got the HaxDoor virus (nasty little devil), and it made the computer randomly issue stop errors, until one day it wouldn't boot at all (more stop errors). A quick boot into Knoppix to save their pics to a portable HD, and a reinstall of XP later, and they were good to go. (In the future, remember that very few current viruses wipe or corrupt a hard drive, and it's damn near impossible to infect media files (there've been a few viruses that can do that, but all th

99%+ of scareware is from the same exact kit, and installs the same core exe program, (AV.EXE) in one of three fixed locations. (as super-hidden) This article itself is scareware. The av companies can detect every one of these every time they pop up, there's no "trying to keep up" with this. That's what happens when malware goes commercial as this has. Anyone happen to know offhand who's the source of this malware kit? (url?) I'd be curious to know how much such a kit sells for. Must be cheap if there

...if you're a Windows user who never has the intention of being a Linux user, at least take some good advice from we Linux users:

1. Don't use any Internet applications that embed themselves too deeply within the OS - this means *DEFINITELY* avoiding Internet Explorer and getting rid of Outlook where possible.

2. Stop using your PC with full admin rights - create a restricted user account for normal day-to-day stuff like surfing the Internet. If you don't have the permission to make big changes to Windows th

I work for an IT helpdesk at a large public university and we see students come through all the time with these programs. Realistically though, the installation vector we see the most is not the installation of programs from random websites; the majority get them from clicking a link to watch a movie (still in theaters) online or even through certain ads in Facebook. These programs have simply gotten extremely clever at tricking the end user.

Our clients get these from ad pop-ups. Generally, the 3rd party ad servers get hacked to serve out these fake AVs. So, sites such as CNN, MSNBC, Fox News, and Drudge Report is often thought to be the vector. They are not, but their 3rd party ad subscriptions are! What's worse, is that these browser instances often look like legit program update windows (Java, Flash...etc). So a user goes to install the "update" and that's when the real fun begins.

Our clients get these from ad pop-ups. Generally, the 3rd party ad servers get hacked to serve out these fake AVs. So, sites such as CNN, MSNBC, Fox News, and Drudge Report is often thought to be the vector. They are not, but their 3rd party ad subscriptions are!

Generally, no. Generally, the reason is that the advertisers and their site owners rarely truly care. Have you seen the utter shit, spam, fakes, frauds that masquerade as Facebook ads, however often you click "X" and report it as "misleading / deceptive". Seriously, go to apple.com/store. Look for the neon green MacBook Air. You know, the one you can "test/review then keep for free"...

Pirated movies? Facebook? How about the New York Times [slashdot.org]?

In this case the software was distributed through one of the on-line advertising systems that feeds ads to the Times. The fact that serious, reputable publications like the New York Times don't automatically scan all third-party content like these advertisements and block those that contain scriping is just unconscionable to me. Ads with text, graphics, hell even animated GIFs, are okay in my book; scripts, no thank you.

They simply exploit a vulnerability in your browser or plugins. I've encountered one that tries to install something using Java, presumably just requiring a user to click OK to infect them. That's something that seems like it could be done accidentally. I wouldn't be surprised if it were trying to exploit some vulnerability that would auto-install the malware on older versions of Java. They probably use exploits in Flash as well. The plugins have the advantage of not being run in the IE sandbox that's used by default on Vista/7.

I went to change window focus by clicking on what I had thought was some white space in an article that I was reading, but realized it would normally be an ad spot. Another browser window opened (with the annoying OnClose warning) and I closed it. I noticed that Java loaded, and then a few minutes later Security Center lets me know my AV is turned off and all hell starts breaking loose.

Process Explorer and a few hours later I was back to normal (protip: malware "watcher" processes usually aren't smart enough to realize when they've been suspended. Comes in handy.)

The app must have exploited some Java vulnerability, but at this point I'm not really sure what one. It used the AT command to get what it wanted in terms of privileges and so on, and went to town on my local security policy.

In the end, I was a little pissed at myself, as I try to keep software updated to avoid vulnerabilities like that, but alas I finally got hit by one. Made me feel a little more capable of believing the [usually bullshit] story of "I was just using it when all of a sudden these things started popping up!"

On several occasions, I have also encountered those fake anti-virus scanners while using Linux. In each case, a pop-up or webpage claimed that they had detected that my computer was infested with viruses and spyware.In each case, the advertisement offered to do a free scan on my hard drive. Despite trying to say no or close the tab, it started to pretend to scan my drive C with a progress bar showing the progress. About a minute later, it had finished and announced that it had found several viruses and als

I've found that the majority of fake AV programs I've run across are fairly easy to remove -- boot the system in safe mode and login as a different user and you can generally run something like Sysinternals Autoruns and delete all the startup hooks and the programs they point to. Afterwards I've found that a scan by Malwarebytes and a quick check of the infected user's personal "Startup" folder in their profile is enough to ensure the stuff is deleted.

I still think there should be a course given for an Internet License. This way if you don't base(pass?),you're not allowed to go on the internet. Well, at least in large corporations/government facilities.

What really scares me is that this might really reflect the "upper crust" of today's government employee.

Architecturally, whitelisting is a great solution. In closed environments with fairly static requirements(eg. corporate) you can do it Right Now, if you want. And, while it won't save you from truly subtle attacks on the kernel or services, it blocks a fair percentage of common stuff good and hard.

The trouble begins when you try to implement it in the real world. Being the "they" who gets to bless all good programs is both a gigantic pain in the ass(requiring a massive staff of